[30914] in Kerberos
RE: SASL authentication
daemon@ATHENA.MIT.EDU (Xu, Qiang (FXSGSC))
Tue Mar 24 05:22:55 2009
From: "Xu, Qiang (FXSGSC)" <Qiang.Xu@fujixerox.com>
To: Michael Ströder <michael@stroeder.com>,
"kerberos@mit.edu" <kerberos@mit.edu>
Date: Tue, 24 Mar 2009 17:21:44 +0800
Message-ID: <D8C9BC7FFCF8154FB7141EB8DB609C1729058B3A83@SGPAPHQ-EXSCC01.dc01.fujixerox.net>
In-Reply-To: <v34l96-gkf.ln1@nb2.stroeder.com>
Content-Language: en-US
MIME-Version: 1.0
X-MAIL-FROM: <qiang.xu@fujixerox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
> -----Original Message-----
> From: kerberos-bounces@mit.edu
> [mailto:kerberos-bounces@mit.edu] On Behalf Of Michael Ströder
> Sent: Tuesday, March 24, 2009 3:22 AM
> To: kerberos@mit.edu
> Subject: Re: SASL authentication
>
> Use nslookup.exe on host name and IP address. They must match.
Thanks, Michael! Using nslookup on the client Linux box, I found the reason why there is no outward LDAP traffic. The LDAP server (AD in Windows 2003 Server), as I said, is the primary domain controller of its own. It is also the DNS server in its own domain. I didn't recognize that this DNS server is not in the nameserver list of the client machine. No wonder it cannot resolve the name. Now it is added into the file "/etc/resolv.conf":
==========================================================
# resolv.conf has no inline /* ... */ comments: a comment is a line that
# starts with '#' or ';'. Any other text on a 'search' line is read as
# another search domain.
# sesswin2003.com is the domain name of the AD server
search sgp.fujixerox.com sesswin2003.com
nameserver 13.198.8.83
nameserver 13.198.96.10
# This is the IP address of the domain controller with its FQDN as
# sesswin2003.sesswin2003.com. Servers are tried in order and a negative
# answer (NXDOMAIN) from an earlier server is final; the DC is only asked
# if the servers above it time out.
nameserver 13.198.98.35
==========================================================
But strangely, with this file modified, "nslookup sesswin2003" still fails. To my surprise, even on the AD itself, this command fails. So I suspect DNS in the AD is not running properly. Could you tell me where to look in the AD to fix the DNS issue?
> > [libdefaults]
> > default_realm = durian.fujixerox.com
> > [..]
> > In this configuration file, "durian" is the hostname of the client
> > machine. Is there anything wrong with it?
>
> I'm confused. Why do you put in durian.fujixerox.com here.
>
> default_realm MUST point to a Kerberos realm. In a MS AD
> environment this is simply the upper-case DNS domain name of
> the AD domain.
durian is the hostname of the client Linux box. fujixerox.com is the domain name in which the client lies.
Yes, I also feel this is a strange setting. durian.fujixerox.com is the FQDN of the client, not a domain name.
But since it has nothing to do with the LDAP traffic, I don't want to change it now.
> > [realms]
> > SESSWIN2003.COM = {
> > kdc = 13.198.98.35:88
> ^^^^^^^^^^^^
> Is that the IP address of your AD domain controller? Is
> SESSWIN2003.COM your AD domain?
Yes, this is the IP address of the AD domain controller. And Yes again, SESSWIN2003.COM is my AD domain.
> > durian.fujixerox.com = {
> > kdc = kerberos.durian.fujixerox.com:88
> > admin_server = kerberos.durian.fujixerox.com:749 }
>
> Likely you should remove that.
>
> You should try to find a working setup with AD using your
> favourite search engine. Please read a little bit more what
> the different parameters really mean.
Thanks a lot,
Xu Qiang
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
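The two configuration problems discussed in this thread (C-style remarks inside resolv.conf, and a client FQDN used as default_realm) can both be caught before any Kerberos or LDAP traffic is attempted. The following checker is an added example for this archive page, not code posted on the list; the file contents it inspects are constructed from the values quoted in the mail, and the function and variable names are assumptions of the example.

```python
"""Pre-flight check of /etc/resolv.conf and /etc/krb5.conf for a Linux client
that must find and authenticate to an AD domain controller.  Added example for
the mailing-list thread; sample file contents are constructed from the mail."""
import re

# RFC 1123 host label, used to spot tokens that cannot be search domains.
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def is_domain_name(token):
    return all(_LABEL.match(label) for label in token.rstrip(".").split("."))

def parse_resolv_conf(text):
    """Tokenise resolv.conf the way the libc resolver does: a comment is only a
    line starting with '#' or ';', and every token after 'search' is a domain,
    so a /* ... */ remark turns into bogus search domains."""
    search, nameservers = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        tokens = stripped.split()
        if tokens[0] == "search":
            search = tokens[1:]              # the last 'search' line wins
        elif tokens[0] == "nameserver":
            nameservers.append(tokens[1:])   # keep extra tokens to report them
    return search, nameservers

def check_resolv(text, ad_domain, dc_ip):
    """Return problems that would stop the AD zone from resolving on the client."""
    problems = []
    search, nameservers = parse_resolv_conf(text)
    for tok in search:
        if not is_domain_name(tok):
            problems.append(f"search list contains non-domain token {tok!r}")
    if ad_domain.lower() not in (t.lower() for t in search):
        problems.append(f"{ad_domain} missing from search list; short DC name will not resolve")
    addrs = []
    for fields in nameservers:
        if len(fields) != 1:
            problems.append(f"nameserver line has trailing text {' '.join(fields[1:])!r}")
        if fields:
            addrs.append(fields[0])
    if dc_ip not in addrs:
        problems.append(f"domain controller {dc_ip} is not a nameserver")
    elif addrs[0] != dc_ip:
        problems.append(f"{dc_ip} listed after {addrs[0]}: an NXDOMAIN from the first "
                        "server is final, the DC is only asked if earlier servers time out")
    return problems

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [sections], key = value, and one level of
    name = { ... } groups, which covers [libdefaults] and [realms]."""
    conf, section, group = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or section is None and line[0] != "[":
            continue
        if line[0] == "[" and line[-1] == "]":
            section, group = line[1:-1], None
            conf.setdefault(section, {})
            continue
        if line == "}":
            group = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        closes = value.endswith("}")          # 'key = value }' on one line
        value = value[:-1].strip() if closes else value
        if value == "{":
            group = key
            conf[section][group] = {}
        elif group is not None:
            conf[section][group][key] = value
        else:
            conf[section][key] = value
        if closes:
            group = None
    return conf

def check_krb5(conf, ad_domain):
    """default_realm must be a realm (for AD, the upper-case DNS domain), not the
    client's own FQDN, and both it and the AD realm need a [realms] entry."""
    problems, expected = [], ad_domain.upper()
    realm = conf.get("libdefaults", {}).get("default_realm")
    realms = conf.get("realms", {})
    if realm is None:
        problems.append("[libdefaults] has no default_realm")
    else:
        if realm != realm.upper():
            problems.append(f"default_realm {realm!r} is not upper-case; for AD use {expected!r}")
        if realm not in realms:
            problems.append(f"default_realm {realm!r} has no [realms] entry")
    for name in realms:
        if name != name.upper():
            problems.append(f"[realms] entry {name!r} looks like a hostname, not a realm")
    if expected not in realms:
        problems.append(f"no [realms] entry for the AD realm {expected!r}")
    return problems

def audit(resolv_text, krb5_text, ad_domain, dc_ip):
    return check_resolv(resolv_text, ad_domain, dc_ip) + check_krb5(parse_krb5_conf(krb5_text), ad_domain)

# Constructed from the files quoted in the thread (as posted, then corrected).
RESOLV_AS_POSTED = """search sgp.fujixerox.com sesswin2003.com /* sesswin2003.com is the domain name of the AD server */
nameserver 13.198.8.83
nameserver 13.198.96.10
nameserver 13.198.98.35 /* This is the IP Address of the domain controller with its FQDN as sesswin2003.sesswin2003.com */
"""
RESOLV_FIXED = """# sesswin2003.com is the AD domain; list its DC first
search sesswin2003.com sgp.fujixerox.com
nameserver 13.198.98.35
nameserver 13.198.8.83
nameserver 13.198.96.10
"""
KRB5_AS_POSTED = """[libdefaults]
    default_realm = durian.fujixerox.com
[realms]
    SESSWIN2003.COM = {
        kdc = 13.198.98.35:88
    }
    durian.fujixerox.com = {
        kdc = kerberos.durian.fujixerox.com:88
        admin_server = kerberos.durian.fujixerox.com:749 }
"""
KRB5_FIXED = """[libdefaults]
    default_realm = SESSWIN2003.COM
[realms]
    SESSWIN2003.COM = {
        kdc = 13.198.98.35:88
    }
"""

if __name__ == "__main__":
    for label, r, k in (("as posted", RESOLV_AS_POSTED, KRB5_AS_POSTED),
                        ("fixed", RESOLV_FIXED, KRB5_FIXED)):
        print(label, audit(r, k, "sesswin2003.com", "13.198.98.35") or ["ok"])
```

Run against the files as posted, the checker reports the two `/*` and `*/` tokens that became search domains, the trailing text on the third nameserver line, the domain controller being listed behind two servers that know nothing about sesswin2003.com, and the lower-case client FQDN used as default_realm and as a realm name; the corrected pair reports nothing. It does not replace `nslookup` on the forward and reverse name, which is still the test to run once the files are clean.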